201224836 六、發明說明: 【發明所屬之技術領域】 本發明係關於一種惡意程式偵測裝置、惡意程式偵測方法及其 電腦程式產品。更詳細地說,本發明係關於一種用以偵測一程式 之惡意程式彳貞測裝置、惡意程式偵測方法及其電腦程式產品。 【先前技術】 隨著數位資訊的應用層面日益廣泛,資訊安全防護的意識逐漸 受到重視,帶動資訊安全防護技術的發展,目前資訊安全防護之 方式中,普遍利用防毒軟體針對病毒程式進行偵測。詳細來說, 為了避免資料遭到竊取或破壞,一般電腦中通常搭載具有病毒資 料庫之防毒軟體。其中,病毒資料庫係用以記錄目前已知之病毒 程式特徵碼(signature )。如此一來,防毒軟體將可利用特徵碼比 對之方式,——針對電腦内之檔案進行偵測。若比對結果發現有 與特徵碼相同之檔案,則可確認其為病毒程式。 然而,隨著病毒程式之迅速發展,以及各種加殼變種病毒程式 的衍生,防毒軟體之病毒資料庫更新病毒程式特徵碼之速度將不 足以應付惡意程式之成長速度。具體而言,習知的防毒軟體係利 用特徵碼比對技術進行病毒程式的偵測比對,惟特徵碼比對技術 會受限於病毒資料庫的完整性,若病毒資料庫未更新一加殼變種 之病毒程式之特徵碼,則防毒軟體即無法偵測出該加殼變種之病 毒程式,此外,防毒軟體使用特徵碼比對技術進行病毒程式的偵 測亦需要花費較長的時間。如此一來,將會降低病毒程式之偵測 率,造成資訊安全防護的漏洞,而為了不斷更新病毒資料庫,亦 201224836 必須負擔南昂的成本 综上所述’如何加速惡意行為之比對效率以及提高病毒程式之 债測率’實為該領域之技術者亟需解決之課題。 【發明内容】 本發明之-目的在於提供—種惡意程式偵測裝置。該惡意程式 偵測裝置用以僧測一程式’該程式執行一第一處理程序,該惡意 程式偵測裝置包含一儲在置; 計^ 财子早70以及-處理單元。該儲存單元用以 儲存一惡思行為資料座,兮亞立—、 ㈣m、订為貢料庫記錄—惡意程式之- 心、思仃為規範。該處理單元與 據該第-處理程序建立—第二關雜連接,並用以根 节亞立—Α 丁”、、見範,比對該第—行為規範與 。哀心思灯為規範,並產生一比斟 比對結果,根據該比對結果更新-行 為轉表,以及根據該行為記錄表判斷該程式為該惡意程式。 亞方目的在於提供’於前述惡意程式偵測裝置之 一 ' 一4式偵測裝置用以偵測一程式,且包 資料廑早额存皁凡用以儲存-惡意行為 4仃為資料庫記錄—惡意程式之-惡音行 ,理單元與該儲存單元關聯性連接,該程式執行二=二201224836 VI. Description of the Invention: [Technical Field] The present invention relates to a malicious program detecting device, a malicious program detecting method and a computer program product thereof. More specifically, the present invention relates to a malware detection device, a malicious program detection method, and a computer program product thereof for detecting a program. [Prior Art] With the increasing application of digital information, the awareness of information security protection has gradually received attention and promoted the development of information security protection technology. Currently, in the way of information security protection, antivirus software is commonly used to detect virus programs. In detail, in order to prevent data from being stolen or destroyed, an anti-virus software with a virus database is usually installed in a computer. Among them, the virus database is used to record the currently known virus program signature. In this way, the anti-virus software will be able to use the signature matching method to detect files in the computer. If the comparison finds that there is a file with the same signature, you can confirm that it is a virus program. However, with the rapid development of virus programs and the derivation of various types of virus-added variants, the anti-virus software database will not update the virus signatures at a rate that is slow enough to cope with the growth of malicious programs. Specifically, the conventional anti-virus soft system uses the signature matching algorithm to detect the virus program, but the signature matching technique is limited by the integrity of the virus database, and if the virus database is not updated. The signature of the shell variant virus program, the anti-virus software can not detect the virus variant of the shell variant, in addition, the anti-virus software uses the signature code comparison technology to detect the virus program also takes a long time. As a result, the detection rate of virus programs will be reduced, resulting in information security protection loopholes. In order to continuously update the virus database, 201224836 must bear the cost of Nanang. In summary, how to accelerate the efficiency of malicious behavior comparison And to improve the debt measurement rate of the virus program' is a problem that the technicians in the field need to solve. SUMMARY OF THE INVENTION The present invention is directed to providing a malicious program detecting apparatus. The malware detecting device is configured to detect a program that executes a first processing program, the malicious program detecting device including a storage device; a metering device 70 and a processing unit. The storage unit is used to store a malicious behavior data base, 兮 亚立-, (4) m, set as a tribute library record - malicious program - heart, thinking as a norm. The processing unit is connected with the second processing program according to the first processing program, and is used for the root node, the singularity of the singularity, and the specification, and the sorrowful light is standardized and generated. A comparison result, according to the comparison result update-behavior transfer table, and judging the program as the malicious program according to the behavior record table. The purpose of the Asian side is to provide 'one of the aforementioned malicious program detection devices' - 4 The detection device is used to detect a program, and the package data is stored in an early amount for storage - malicious behavior 4 is a database record - malware - bad sound line, the unit is associated with the storage unit , the program executes two = two
;了意程式她法包含下列步驟:⑷令該處理單元根二 弟一處理程序建立-第-行為規範;(b)令該處 I 行為規範與該惡意行為規範,並產生-比對結果 元根據該㈣絲更新—行為_表;以 ()^處理早 該行為記錄表判斷該程式為該惡意程式。(K4處理單元根據 本發明之又一目的在於提供一 種電腦程式產品,内儲一 種用於 201224836 —惡意m龍置之惡意程式_方 式_装置用以偵測_程式,且包含=",該惡意程 几,該儲存單元心儲存—惡意行 處理早 記錄一 貝料’ 4惡意行為資料庫 聯二:;ί:Γ意行為規範,該處理單元與該儲存單元關 =Α Λ執行一第一處理程序,該程式指令包含:-程 式^ 該處理單元根據該第—處理程序建立—第—行為規 =311:钱&翠元比對該第―行為規範與該惡意 仃為規範,並產生一比對妹果.一 、° ,程式私々C,令該處理單元根 _ =結果更新-行為_ ;以及__令d,令該處理 早7L根據該行為記錄表判斷該程式為該惡意程式。 本發明之惡意程式偵測裝置儲存一惡意行為資料庫該惡意行 為貧料庫記錄-惡意程式之—惡意行為規範。t—程式於本發明 之惡意程式偵職置執行-第—處理程料,惡意程式偵測裝置 係:根據該第-處理程序建立—第—行為規範,比對該第一行為 規犯與該惡意行為規範,並產生—比對結果;接著,根據該比對 ^果更新-行為記錄表’並根據該行為記錄表麟該程式為該惡 意程式。藉此,本發明射歧習知防毒軟體之更新速度無法跟 上加殼變種惡意程式之增加速度的缺點,同時具有加速惡意行為 之比對效率以及提高病毒程式之偵測率之優點。 在參閱圖式及隨後描述之實施方式後,該技術領域具有通常知 識者便可瞭解本發明之其他目的,以及本發明之技術手段及實施 態樣。 【實施方式】 201224836 以下將透過實施例來解釋本發明之内容’本發明的實施例並非 用以限制本發縣在如實施觸述之任何特定的環境、應用或特 殊方式方能實施。因此,關於實施例之說明僅為闡釋本發明之目 的’而非用以限制本發明。須說明者,以τ實施例及圖式卜盘 本發明非直接相關之元件已省略而切示,且圖式#各元件間之 尺寸關係僅為求容㈣解,非用以限制實際比例。The program includes the following steps: (4) to make the processing unit root two brothers a handler to establish a - first-behavior; (b) to make the I behavior norm and the malicious behavior specification, and to generate - compare result elements According to the (4) silk update-behavior_table; the ()^ is processed to determine the program as the malicious program. (K4 Processing Unit According to still another object of the present invention, a computer program product is provided, which stores a malicious program for 201224836 - a malicious device, a device for detecting a program, and including =" The malicious process, the storage unit heart storage - malicious processing to record a bee material '4 malicious behavior database two:; ί: arbitrary behavioral norm, the processing unit and the storage unit off = Α Λ perform a first a processing program, the program instruction comprising: - a program ^ the processing unit is established according to the first processing program - the first - behavior rule = 311: money & 翠元 ratio is specified by the first "behavior specification" and the malicious ,, and is generated A comparison of the sister. First, °, program private C, so that the processing unit root _ = result update - behavior _; and __ order d, so that the processing 7L early according to the behavior record table to determine the program for the malicious The malicious program detecting device of the present invention stores a malicious behavior database, the malicious behavior, the malicious library record, the malicious program, the malicious behavior specification, and the program is executed in the malicious program of the present invention. material, The program detection device is: according to the first process, the first-behavior specification is established, and the malicious behavior is regulated according to the first behavior, and the result is compared. Then, the comparison is updated according to the comparison. - the behavior record table' and according to the behavior record, the program is the malicious program. Thereby, the update speed of the conventional anti-virus software of the present invention cannot keep up with the shortcoming of the increase speed of the malicious variant of the shell, and has the acceleration Advantages of malicious behavior versus efficiency and detection rate of virus programs. Other objects of the present invention, as well as the techniques of the present invention, will be apparent to those of ordinary skill in the art in view of the drawings and the embodiments described hereinafter. Means and Embodiments [Embodiment] 201224836 Hereinafter, the contents of the present invention will be explained by way of embodiments. The embodiments of the present invention are not intended to limit any specific environment, application, or special mode of the present invention. Therefore, the description of the embodiments is merely for the purpose of illustrating the invention, and is not intended to limit the invention. τ Examples and drawings Bu disc of the present invention is not directly related cutting elements have been omitted and shown, and dimensional relationships among individual elements are illustrated only for the receiving solution (iv), but not to limit the actual scale drawings #.
本發明之第-實施例為—惡意程式彳貞縣置1,其示意圖描繪於 第1.圖。惡意程式谓測裝置i包含一儲存單元u、一處理單元⑴ 以二:輸出單元15,其中儲存單元u以及輸出單元15分別與處 理早7L 13電性連接。錯存單元u可為記憶體、軟碟、硬碟、光 碟 '隨㈣、磁帶、可由網路存取之資料庫或所屬技術領域中且 有通常知識者可輕易思及具有相同功能之儲存媒體·處理單元^ 可為目前或未來的各種處理器、中央處理器、微處理器、計算哭 或所屬技㈣域巾具有通常知識麵_易思及具有計算: 裝置。 於本實施例中,惡意程式偵測裝置1係為一電腦。於其它實施 例中’惡意程式偵測裝置丨亦可為飼㈣、筆記型電腦、個人數 (Personal Digital Assistant, PDA) , . ^ 體播放機或其它可用以偵測惡意程式之惡意程式偵測裝置。惡意 程式偵測裝置1之實施態樣並不用以限制本發明之範圍。 -般而言’一惡意程式通常包含_個或複數個惡意行為,各個 惡意行為更包含-個或複數個處理程序(pr_ss)。而為了有效偵 測惡意程式’必顯㈣㈣規職描述惡意程紅各個處理程 201224836 序,因此,本發明定義了一 (behavior profiJe)o ^边-處理程序之行為規範 請參閱第2圖,其係描綠本發明之行 針對一處理程序所定義之行為規範2包含&^、圖。本發明 標的、執行動作以及鏈結資訊,其中執行動―::二::為執行 進行的-動作,執行標的處理f序所 鏈結資訊係指該處理程序對該 &軚的’ 訊。舉例而+,卜“ 選仃销作所涉及的執行資 意指該處心創造—個隨機名稱_」, ==檔案’因此,此處理程序的執行標的為「」: 播的路徑「aD0CUME,舰二::τ為創造該隨機名稱恤 U\L0CALS 〜l\Temp\XXXhtm」。 式^:來說,處理程序通常會透過系統呼叫(systemcaii)的方 必要:4要^的操作,而系統呼叫則帶有進行處理程序相關 自=,行為規範2中的執行標的以及執行動作便可 财攄Γ所進行的系統呼叫中擷取。行為規範2中的鍵結資訊 h Γ 里程序而有所不同,不同的處理程序因涉及不同的執行 _結資訊可以是任何相關的執行資訊,端視實際應用情 /疋’鍵結資訊的形式及内容並不用以限制本發明之範圍。 之惡意程5^貞測裝置1之儲存單元u中储存—惡意行為 2、’該惡意行為資料庫記錄了各種惡意程式之各種惡意行為 …巳:Μ下將詳述本發明之惡意程式偵測褒置】如何建立該惡意 貝料庫。S ―惡意程式於'惡意程式谓測裝置1上執行時,該 201224836 惡意程式會進行一個或複數個惡意行為,各個惡音行 行-個或複數個處理程序 。讀由執 式谓測裝置^上執行$ P惡意程式於惡意程 上執仃一處理程序時,處理單元u便依 擷取該處理程序之執 虞則述方式 理程序之彳^的、執㈣作収縣資如建立該處 同時,處理單元13 亞立一思行為規範相對應之一編碼,該編碼用以表干卞 4灯為規範’以便後續處理單元13可根據 : 否為-惡意程式。 …j #王式疋 以:=說明惡意行為資料庫之内容,以及行為規範的編碼方 1 —程式八具有—惡意行為A]以及-惡意行為A_2,亞 二^「為「修改Inte⑽E咖打_」,且更執行—處: •1打開1nternet ExPlorer中的KEY」,以及—處理鞋底 Α-1:2Γ ^ j; , t ^ Α_2 imernet Εχρΐ〇^ 並嘗试連線」’且更執行—處理程序A·〗]「創造一個隨機名稱的 加槽」’以及-處理程序Α_2:2「寫入隨機名稱的_播」 理單元13分職取處理程序从卜處理程序A_1:2、處理程序 ^以及處理程序A_2:2十的執行標的、執行動作以及鍵結資 。孔並分別建立其惡意行為規範;接著處理單元Η產生一編碼 A]:l代表處理程序A_1:1之惡意行為規範,產生一編碼A_1:2代 處里私序Α_1·2之惡意彳了為規範,產生—編碼Α_2:ι代表處理程 序A-2:1之惡意行為規範,產生—編碼a_2:2代表處理程序Μ··〕 之惡意行為規範。 根據上述方式所建立之惡意行為資料庫如第3圖所示,其係描 201224836 繪惡意行為資料庫之*㈣。惡意行為資 中各處理程序之惡意行為規範,即各處理程序之惡意程式A 行動作、鏈結資訊,以及與各處理程序相對應之編竭執行標的、執 如則所述,一惡意程式包含一個或複數個惡意行 行為更包含一個或複數個處理程序,因此^固惡意 為該惡意料時,則需判斷該程式是否 是否 程序,接著判斷該程式所執行的處理程序= 复數個處理 複數個惡意行為,進而判斷該程式所進行該-個或 成該惡意程式。據此,本發明之惡意程式_裝Γ !疋否累^構 11中更儲存-H檀資料庫,該門檀資、I之儲存早凡 所雲i 〜B 。己錄了構成一惡意程式 的仃為數Η檻值、行為城射〗檻“及行為規範種類。 4體4圖’其係描纷本發明之_料庫之* 二「惡意行為編碼」攔位係記錄各種惡意行 挪位方行為規範編碼」 所雲心亞* 插值」攔位係記錄構成一惡意行為 亞!二的惡請為規範數’·「行為數嶋」攔位係記錄構成一 惡思程式所需要的惡意行為數。 牛例來說’一惡意程式A具有—惡意行為&卜因此「惡意行 马編碼」攔位記錄Α_ι,亞咅耔盔 「 ,…仃為A-1會執行五個處理程序,因 意行為規範編碼」攔位記錄i、2、3、4及5,分別為與該 ^程相對應之五個惡意行為規範之編碼,即I代表惡意 仃為“之第-惡意行為規範,2代表惡意行為^之第二惡意 201224836 打為規,以此類推。由於惡意行為Α-ι包含五個惡意行為規範, 因此惡意行為A-!之「行為規範數門播值」搁位為$,代表若執行 了與該五個惡意行為賊相龍之五個處理料即構成惡意行為 W,由於,惡意程式八包含惡意行為^與惡意行為A因此「行 為數門檻值」攔位為2,代表若谁广 進仃了心思行為Α-1與惡意行為 Α-2二個惡意行為即構成惡意程式a。 更進步地,-惡意行為所包含之惡意行為規範可區分為基本 惡意行為規範與選擇性,惡意行為規範。具體來說,基本惡意行為 規範係指構成—惡意行為所柯或缺的惡意行為規範,而選擇性 惡祕錢_並非為構成—惡意行為所必要的惡意行為規範。 舉例而δ ’請參閱第4圖中的亞會并或 〜、意仃為c_4,其「惡意行為編碼 ^ 及7其中卜^^及以於基本 心思行為規範,亦即欲構成惡意行為c_4必須包含卜2、3、*及 5此五個惡思行為規範,缺一不可.而 *… *τ ’而6及7則屬於選擇性惡意行 為規範,欲構成惡意行為C_4只需句八Λ s g 而匕36及7此二個惡意行為規 之—即可。據此,惡意行為C·4之行為規範數門檻值為6, ,由五個縣惡意行為規範加上—個選擇性惡意行為規範計算 付。基本惡忍行為規範及選擇 伴丨心、思仃為規乾之種類與個數端 視貫際應用時各個惡意裎式特 ^ 伙 寺生而疋,並不用以限制本發明之 犯圍。 須特別說明者,前述儲存單元 子早兀11中所儲存之惡意行為資料庫3 以及門檻資料庫4除了可由本發 紗六入^ 知月之心思私式偵測裝置1建立並 儲存於儲存單元11中外,亦可 ,、匕凌置(如電腦、伺服器、運 201224836 算裝置等)事先建立後再傳送至惡意程式偵測裝置1,並儲存於儲 存單元11 ;或者可由其它裝置建立後儲存於一儲存裝置,惡意程 式偵測裝置1便透過與該儲存裝置連線以存取儲存於該儲存裝置 之惡意行為資料庫3以及門檻資料庫4。因此,建立與儲存惡意行 為資料庫3以及門檻資料庫4之裝置並不用以限制本發明之範圍。 接著,以下將詳述本發明之惡意程式偵測裝置1如何偵測惡意 程式,為便於理解,以下將偵測惡意程式之流程搭配實例作說明。 首先,當一程式於惡意程式偵測裝置1上執行時,該程式執行一 第一處理程序,此時,處理單元13便自該第一處理程序擷取該第 一處理程序之一第一執行標的、一第一執行動作以及一第一鍵結 資訊,其分別為「Reg」、「Openkey」以及「Software\Microsoft\Internet Explorer\Main」 ,並建立一第一行為規範 「Reg|Openkey|Software\Microsoft\Internet Explorer\Main」。接 著,處理單元13便自惡意行為資料庫3中搜尋是否有與該第一行 為規範相同之惡意行為規範,由第3圖之惡意行為資料庫3可知, 該第一行為規範與編碼為A-l:l之惡意行為規範相同,於是處理 單元13便自惡意行為資料庫3擷取出編碼A-l:l,並將編碼A-l:l 暫存於一串列表中。 另一方面,惡意程式偵測裝置1亦可能於一時間週期内同時執 行複數個程式,各程式更包含複數個處理程序,而惡意程式之偵 測係針對單一個程式作比對,以偵測各個程式是否為惡意程式; 因此,惡意程式偵測裝置1必須辨識一處理程序係由哪一個程式 所執行。據此,處理單元13更用以將與該程式相對應之一程式辨 12 201224836 識=(Ρ—)附加於該第-行為規範。舉例而言,處理單 =式_⑽式與附加_視;=::執 並不用以限制本發明之範圍。 處理單元η接著根據前述之比對結果建立並更新—行為The first embodiment of the present invention is a malicious program, which is shown in Fig. 1. The malware predicate device i includes a storage unit u, a processing unit (1), and an output unit 15, wherein the storage unit u and the output unit 15 are electrically connected to the processing 7L, respectively. The memory unit u can be a memory, a floppy disk, a hard disk, a CD's (4), a magnetic tape, a database accessible by the network, or a storage medium having the same function as those of ordinary skill in the art and having ordinary knowledge. The processing unit can have a common knowledge of current or future processors, central processing units, microprocessors, computing crying or technology (4) domain towels. In the embodiment, the malicious program detecting device 1 is a computer. In other embodiments, the malware detection device can also be used for feeding (four), notebook computers, personal digital assistants (PDAs), . . . body players or other malicious programs that can detect malicious programs. Device. The implementation of the malicious program detecting apparatus 1 is not intended to limit the scope of the present invention. Generally speaking, a malware usually contains _ or a plurality of malicious acts, and each malicious behavior further includes one or a plurality of handlers (pr_ss). In order to effectively detect malicious programs, it is necessary to describe the procedures of the malicious process each process 201224836. Therefore, the present invention defines a (behavior profiJe) o ^ edge-processing program behavior specification, please refer to FIG. 2, The behavior of the invention defined in the present invention is defined by a & The object of the present invention, the execution action and the link information, wherein the execution of the action:::2:: the action performed for the execution, the execution of the target process, the sequence of the link information refers to the process of the & For example, +, ""Executives involved in the selection of sales are meant to create a random name _", == file 'Therefore, the execution of this handler is marked with "": the path of the broadcast "aD0CUME, Ship II::τ is the creation of the random name shirt U\L0CALS ~l\Temp\XXXhtm". In the case of ^:, the processing program usually through the system call (systemcaii) side of the necessary: 4 to ^ operation, and the system call with the processing program related to =, the behavior of the implementation of the standard 2 and the implementation of the action It can be retrieved from system calls made by the company. The key information in the behavior specification 2 is different in the program. The different processing procedures may be any related execution information due to different executions. The actual application situation is the form of the key information. And the content is not intended to limit the scope of the invention. The malicious program 5^ stores the storage unit u of the device 1 - malicious behavior 2 'The malicious behavior database records various malicious behaviors of various malicious programs... 巳: The malware detection of the present invention will be detailed How to set up this malicious shell library. S - When the malicious program is executed on the malware predicate device 1, the 201224836 malware will perform one or more malicious acts, each of which will be one or more handlers. When the execution of the $P malware is executed on the malicious process by the execution device, the processing unit u follows the execution of the processing program. At the same time, if the county fund is established, the processing unit 13 corresponds to one of the codes of the behavioral specification, and the code is used to express the 4 lights as the specification' so that the subsequent processing unit 13 can be based on: No - malware . ...j #王式疋 to: = Describe the content of the malicious behavior database, and the code of the code specification 1 - program eight has - malicious behavior A] and - malicious behavior A_2, sub-2 "" to modify Inte (10) E coffee _ And, more execution - at: • 1 open the KEY in 1nternet ExPlorer, and - handle the sole Α-1:2Γ ^ j; , t ^ Α_2 imernet Εχρΐ〇^ and try to connect "and execute" - Program A·〗] "Create a random name slot" 'and -Processor Α_2:2 "Write random name _cast" The unit 13 is divided into the processing program from the processing program A_1: 2, the processing program ^ And the execution of the program A_2: 2 ten, the execution of the action and the key balance. The holes and their malicious behavior specifications are respectively established; then the processing unit generates an encoding A]: l represents the malicious behavior specification of the processing program A_1:1, and generates a code A_1: the malicious sequence of the private code Α_1·2 in the 2nd generation is Specification, Generating - Code Α_2:ι stands for the malicious behavior specification of handler A-2:1, yielding a malicious behavior specification that encodes a_2:2 for the handler Μ··]. The malicious behavior database established according to the above method is shown in Figure 3, which depicts the 201224836 mapping of malicious behavior database* (4). The malicious behavior specification of each handler in the malicious behavior, that is, the malicious program A line action of each processing program, the link information, and the corresponding execution target and the execution corresponding to each processing program, a malicious program includes One or more malicious behaviors include one or more processing procedures. Therefore, if the malicious content is malicious, it is necessary to determine whether the program is a program, and then determine the processing procedure executed by the program = a plurality of processing multiples Malicious behavior, and then determine whether the program is doing the same or as the malware. According to this, the malware of the present invention _ Γ 疋 疋 累 累 累 构 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 I have recorded the number of Η槛 、 、 行为 行为 行为 行为 行为 行为 行为 行为 行为 行为 行为 行为 及 及 及 及 及 及 及 及 及 及 及 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 It records the code of various malicious behaviors of the mobile party. "The Yunxinya* Interpolation" record constitutes a malicious act. The evil of the second is the normative number of the "number of behaviors". The number of malicious behaviors required by the program. For example, a malicious program A has a malicious behavior & The canonical record "blocking records i, 2, 3, 4, and 5, respectively, are the codes of the five malicious behavioral norms corresponding to the process, that is, I represents maliciously as the "first-malicious behavioral norm, and 2 represents malicious Behavior ^ The second malicious 201224836 is a rule, and so on. Because the malicious behavior Α-ι contains five malicious behavioral norms, the malicious behavior A-! "behavior specification number of homing value" is placed as $, on behalf of The execution of the five treatments with the five malicious behavior thieves constitutes a malicious act, because the malicious program contains malicious behavior and malicious behavior A, so the "behavior threshold" is 2, which means who Guangjin stunned the behavior Α-1 and malicious behavior Α-2 two malicious acts constitute a malicious program a. More progressively, the malicious behavioral norms contained in malicious behavior can be distinguished as basic malicious behavioral norms and selective, malicious behavioral norms. Specifically, the basic malicious behavioral specification refers to the malicious behavioral norms that constitute the guilty or malicious behavior, and the selective malicious money is not the norm of malicious behavior necessary to constitute a malicious act. For example, δ 'Please refer to the Asian Association in Figure 4 or ~, meaning c_4, its "malicious behavior code ^ and 7 in it ^ ^ and the basic mental behavior norms, that is, to constitute a malicious act c_4 must Contains Bu, 2, 3, * and 5 These five evil behavioral norms are indispensable. And *... *τ ' and 6 and 7 are selective malicious behavioral norms, want to constitute malicious behavior C_4 only sentence gossip sg And 匕36 and 7 these two malicious behavior rules - that. According to this, the behavioral norm of the malicious behavior C.4 has a threshold of 6, and is calculated by five county malicious behavioral norms plus a selective malicious behavior specification. Paying. The basic normative behavioral norms and choices of enthusiasm, thinking about the types of rules and the number of end-of-the-line applications are all malicious and special, and are not used to limit the invention. It should be specially stated that the malicious behavior database 3 and the threshold database 4 stored in the storage unit as described earlier may be created and stored in the storage by the heart-warming detection device 1 of the present invention. Unit 11 inside and outside, can also, 匕 置 (such as computer, servo The device, the 201224836 computing device, etc. are pre-established and then transmitted to the malicious program detecting device 1 and stored in the storage unit 11; or can be stored by another device and stored in a storage device, and the malicious program detecting device 1 transmits The storage device is connected to access the malicious behavior database 3 and the threshold database 4 stored in the storage device. Therefore, the device for creating and storing the malicious behavior database 3 and the threshold database 4 is not intended to limit the scope of the present invention. Next, the following describes in detail how the malware detection device 1 of the present invention detects malware. For ease of understanding, the following describes the process of detecting a malicious program with an example. First, when a program is detected by the malicious program detection device 1 When executed, the program executes a first processing program. At this time, the processing unit 13 retrieves, from the first processing program, a first execution target, a first execution action, and a first key of the first processing program. Information, which are "Reg", "Openkey" and "Software\Microsoft\Internet Explorer\Main", and establish a first behavior specification "Re g|Openkey|Software\Microsoft\Internet Explorer\Main". Next, the processing unit 13 searches the malicious behavior database 3 for the same malicious behavior specification as the first behavior specification. According to the malicious behavior database 3 of FIG. 3, the first behavior specification and the encoding are Al: l The malicious behavior specification is the same, so the processing unit 13 extracts the code Al:l from the malicious behavior database 3, and temporarily stores the code Al:l in a list. On the other hand, the malware detection device 1 may simultaneously execute a plurality of programs in a time period, and each program further includes a plurality of processing programs, and the detection of the malicious programs is performed by comparing a single program to detect Whether each program is a malicious program; therefore, the malicious program detecting device 1 must recognize which program is executed by a program. Accordingly, the processing unit 13 is further configured to append one of the programs corresponding to the program to the first-behavior specification. For example, the processing of the formula = _ (10) and the additional _ view; =:: is not intended to limit the scope of the present invention. The processing unit η then establishes and updates the behavior based on the aforementioned comparison results
==雜凑列表一le)’請參閱第5圖,其係描繪: 發月之仃為記錄表之示意圖。雜凑列表5係用以統計經處理軍元 13比對過後之惡意行為規餘是否累_成_惡意㈣, 計惡意行為之數目是否累積構成—惡意程式。如第5圖所示,二 凑歹J表5之惡意程式/惡意行為」棚位用以記錄處理單元η已比 ㈣的惡意程式編碼或惡意行為編碼,「程式辨識資訊」搁位用 ' ’彔比對到的惡思私式或惡意行為係由哪一程式所執行,「累 積數」欄位則記錄已比對到的惡意行為規範累積數目或已比對到 的惡意行為累積數目。 舉例來說,處理單元13於比對該第一處理程序符合編碼 A-1.1,7G之惡意行為規範後,便於雜湊列表5的「惡意程式/惡意 ,為」攔位記錄Α·卜於「程式辨識資訊」搁位記錄7〇,以= :累積數」襴位之數目增加i嗜此實施例中,A1之累積數由* ^加至5’代表處理單元13已比對到五個屬於惡意行為A】的惡 思订為規视。接著,處理單元13根據門檻資料庫4中惡意行為 A 1的行為規範數門檻值為5判斷此五個比制的惡意行為規範 已構成惡意行為A_卜因此,處理單元13更進—步將雜凑列表5 13 201224836 中惡f呈式A的累積數增加卜代表處理單元u目前已比對到屬 於惡思程式A的一個惡意行為。 亡同。理’當該程式執行—第二執行程序,處理單元Η更根據上述 :私比對4第—執行程序是否符合_惡意行為規範,並根據比對 =更新雜凑列表5 ;最後,處理單W3更可根據門檻資料庫4 :為數門檻值」欄位中的數值判斷已比對到的惡意行為數目 成,以式矛王式。藉由上述方式,本發明之惡意程式偵測裝 ί立。可逐—比對—程式中的各處理程序,並判斷該程式是否為- 心思秦ε式。 ^外二由第4圖之門檻資料庫4可得知,惡意行為Μ所包含 音心、意订為規範為卜2、3、4及5,處理單元13比對到此五種亞 打,中之一便會更新雜凑列表5中惡意行為 二 :,然而—程式亦可能重複執行了相同的處理程序兩次,舉例來 :一程式執行了兩次惡意行為A]所包含的惡意行為規範!,但 月况下惡意仃為“的累積數只能增幻,㈣將造成比對上的 ==為了避免這樣的情況,處理單元13必須進-步確認 疋否重複比對。 如前戶《,處理單元】3於自惡意行為資料庫㈣取出一第—編 將3亥第—編碼暫存於—串列表中,該串列表即可用以核 二Γ是否重複出現’當處理單元"自惡意行為資料庫3 帛-編碼後,處理單元13首先比對該第二編碼是 ^見於該串财t;若是,代纽朗_㈣意行為規範 處理軍元13即不更新雜凑列表若否,代表比對到不同的惡意 201224836 行為規範,此時處理單开^ q β Λ ,-Qa δ ^ 13 θ更新雜湊列表5。藉由此方式, 本發=惡讀式偵測裝置1可料因重複比對所造成的誤判。 \ : 1方式中’處理單元13係根據-程式之-處理程序建 Γ ’並比對該行為規範㈣合-惡意行為規範,立 =匕_方式為比對該行為規範之執行標的、執行動作以及鍵 4 ^料合惡意行騎料庫3巾所賴之惡意料規範。惟 部分加”㈣意程式之處理料巾⑽結資㈣可能是隨機變 '。之$建立出來的行錢範可能無法於惡意行為資料 庫3比對到完全符合的惡意行為賊,造纽對上的漏洞。 據此,為了克服此-缺點,本發明之惡意程式制裝置!更將 惡意程式之處理程序中的鏈結資訊分為三類,其分別為固定式鏈 結資訊、隨機式鏈結資訊以及隨機錢續式鏈結資訊,以下將分 別詳述針對此三_料訊的比對料。料,#—處理程序被 歸類為固^式鏈結資訊時,代表該處理程序的鏈結資訊是固定不 變的’亦即該處理程序每次執行時皆會產生相同的鏈結資訊處 理單元13根據該處理程序所產生的行為規範每次皆相同,因此處 理單元13可直接將該處理程序之執行標的執行動作以及鍵結資 訊與惡意行為㈣庫3作比對,亦即屬於"式鏈結資訊之行為 規範的比對係同時比對執行標的、執行動作以及鏈結資訊。” 其次,當一處理程序被歸類為隨機式鏈結資訊時,代表該處理 私序的鏈結資訊是隨機變動的,即鏈結資訊内容中的文字是隨機 產生的,並且只會出現一次而不會重複使用。舉例來說鏈結資 訊内容中包含一擋案名稱為隨機命名的exe檔,該.exe檔的檔案 15 201224836 名稱為隨機產生,因此該播案名稱每次皆不同。簡言之,該處理 知序母次執行時分會產生不同的鏈結資訊,處理單幻 理程序所產生的行為職每次皆不相同,因此處理單幻3於虞= 處縣料,只料理財之執行標㈣及執行動作與惡 二為㈣庫3作比對’亦即屬於隨機式鏈結資訊之行為規範的 比對只比對執行標的以及執行動作。 最後’當-處理程序被歸類為隨機且連續式鍵結資訊時,代表 «理程序的鏈結資訊是隨機變動且會連續出_,即鏈結資訊 内谷中的文字是隨機產生的,但會重複使用。舉例來說一惡帝 程式的—第—處理程序為「創造隨機名稱的htm槽」,其鏈^ ^中即包含—職名稱為隨機命名的偏檔,假設為abe.htm,而 該惡f程式的—第二處理程序為「寫人隨機名稱的htm檔」,其 鏈二貝π亦會包含abchtm,因此abchtm雖然為隨機命名但會 ^複出現於縣意程式之不同的處理程序中。據此,當—程式的 一第一處理程序被歸類為隨機且連續式鏈結資訊時,處理單元13 :將亥第4理程序的鏈結資訊暫存於—暫存雜凑列表中,當比 _程式的—第二處理程序時’處理單元13會比對該第二處:程 序疋否具有與暫存雜凑列表巾相同的鏈結資訊,若有,即代表該 ★地李主序符合—惡意行為規範。據此’藉由上述的比對方式, 4 ^轾式偵測裝置1將可有效地偵測各種加殼變種的a 意程式。 … 田耘式被比對為符合一惡意程式時,處理單元13更用以傳送 貞丨、°果至輸出單元15,輸出單元15更用以產生一影像或一音 16 201224836 =通知-使用者偵測到一惡意程式,輸出單元15可為顯示器、 揚聲器或其它可以用以呈㈣測結果之裝置,並不以此為限。 本發明之第二實施例如第6圖所示,其係為一種用於如第-實 施例所述之惡意程式_裝置之惡意程式偵測方法。該惡意程式 偵測裝置用以制—程式,且包含—儲存單元以及—處理單元, 以儲存—惡意行為資料庫,該惡意行為資料庫記錄 惡思程式之-惡意行為規範,該處理單元與該儲存單元電性連 接,该程式執行一第一處理程序。 卜第—實施朗描述之惡意程式侧方法可由—電腦程式 產品執行,當惡意程式偵測褒置經由一電腦載入該電腦程式產品 並執行該電腦程式產品所包含之複數個程式指令後,即可完成第 -貫施例所述之惡意程式偵測方法。前述之電腦程式產品可儲存 於電腦可讀取記錄媒射,例如唯讀記憶體(_nlymemory; 臟)、快閃記憶體、軟碟、硬碟、光碟、隨身碟、磁帶、可由 網路存取之資料庫或熟習此項技藝者所習知且具有相同功能之任 何其它儲存媒體中。 第6圖係描繪第二實施例之惡意程式仙方法之流程圖。首先, 此^意程式谓測方法執行步驟6〇1,令該處理單元根據該第一處理 私序建立-第一行為規範。接著,執行步驟6〇2,令該處理單元比 對5亥弟一行為規範與該惡意行為規範,並產生-比對結果。 縣意料偵測裝置之該儲存單元更儲存-門«料庫,該門 捏貝枓庫記錄該惡意程式之—行為城數門檻值以及 根值,該行為記錄表記錄-行為規範數以及一行為數,該惡意j 17 201224836 .、 ^測料接著執行步驟6G3,令簡理單元根據該比對結果更新 ^規乾數。以及’執行步驟綱,當該行為規範數達到該行為 6規值時’令該處理單元更新該行為數。最後,執行步驟 + A W仃為㈣_行為數⑽料,令域理單元判斷該程 式為該惡意程式。 此外’前述之該惡意程式# H 飞係包3一惡意行為,該惡意行為執行 &縣序’此惡意程式偵測方法於步驟_前更 步驟606(第6圖中未繪示), 丁 建立該惡意行為規範。”«科讀_第三處理程序 於步驟602中,係今兮彦w Dn 一 行為規範,並產生」比料果;7^對該+第一行為規範與該惡意 含該第-處理程序之一第一執=、,田而。’ e玄第1為規範包 執糕的、一第-執行動作以及-第 標的、二第=惡=為規範包含該第二處理程序之-第二執行 法於步驟_係: 第二鍵結資訊,此惡意程式偵測方 該第二執財的、订’處理單城過比對該第—執行標的與 比對令第:對該第—執行動作與該第二執行動作,以及 制第與該第二騎f㈣赵航對結果。 6圖中了 步驟外,此惡意程式偵測方法更可執行—步驟607 (第 簡加於該第—行為規範 矛王式辨識資 判斷該第-行為規範對::Γ 式辨識資訊 繪示),見範對應至5亥程式’以及一步驟_(第6圖中未 7 Μ理早疋產生與該惡意行 並以該編碼表示該惡意行為規範。 應為碼 201224836 除了上述步驟,第二實施例亦能執行第-實施例所描述之操作 及功能,所屬技術領域具有通f知識者可直接瞭解第二實施例如 何基於上述第-實施例以執行此等操作及功能,故不資述。 /上所述,本發明係為事先建立—惡意行為資料相及一門權 資料庫,該惡意行為資料庫記錄—惡意程式之—惡意行為規範, »亥門檻資料庫錄該惡意程式之—行為規範數門檻值以及一行為 數=檻值。當—程式於本發明之惡意程式偵測裝置執行—處理程 序時’惡意程式_裝置根據該處理程序建立—行為規範,比對 該行為規範與該惡意行聽範,並赵—比對結果;接著,根據 該比對結果更新—㈣職數,當該料規紐達_行為規範 數門根值時’更新—行為數,當該行為數達職行為數Η檻值時, 判斷該程式為該惡意程式。藉此,本發明係可克㈣知防毒軟體 之更新速度無法跟上加殼變種惡意程式之增加速度的缺點,同時 具有加速惡意行為之比對效率以及提高病毒程式之偵測率之優 上述之實施例僅用來例舉本發明之會 $月之貫施怨樣,以及闡釋本發明 之技術特徵,並非用來限制本發明 “疇。任何熟悉此技術 者可輕易元成之改變或均等性之安排 女排均屬於本發明所主張之範 圍’本么明之榷利保護範圍應以中請專利範圍為準。 【圖式簡單說明】 第1圖係為本發明第一實施例之示意圖; 弟2圖係為本發明行為規範之示意圖; 19 201224836 第3圖係為本發明惡意行為資料庫之示意圖; 第4圖係為本發明門檻資料庫之示意圖; 第5圖係為本發明行為記錄表之示意圖;以及 第6圖係為本發明第二實施例之流程圖。 【主要元件符號說明】 1 :惡意程式偵測裝置 11 :儲存單元 13 :處理單元 15 :輸出單元==Matching list one le)' Please refer to Figure 5, which depicts: The sequel to the month is a schematic diagram of the record table. The hash list 5 is used to calculate whether the malicious behavior after the processing of the military unit 13 is tired. _ _ malicious (four), whether the number of malicious acts accumulate constitutes - malware. As shown in Figure 5, the scams of the table 5 are used to record the malware code or malicious behavior code of the processing unit η. (4) The program identification information is used for '' The program that is compared to the malicious or malicious behavior is executed by the program. The "cumulative number" field records the cumulative number of malicious behavioral norms that have been compared or the cumulative number of malicious behaviors that have been compared. For example, after the processing unit 13 conforms to the malicious behavior specification of the code A-1.1, 7G, the processing unit 13 facilitates the "malicious program/malicious" of the hash list 5 to record the record. Identification information "Placement record 7〇, increase the number of =位 by = : accumulation number". In this embodiment, the cumulative number of A1 is increased from *^ to 5' to indicate that the processing unit 13 has been compared to five. The evil thinking of behavior A] is set to be a regulation. Next, the processing unit 13 determines that the malicious behavioral norms of the five ratios constitute a malicious behavior A_b according to the behavior norm threshold value of the malicious behavior A1 in the threshold database 4, and therefore, the processing unit 13 further advances The hash number list 5 13 201224836 The cumulative number of evil f expression A increases, and the processing unit u has now been compared to a malicious behavior belonging to the evil program A. Death. When the program is executed - the second execution program, the processing unit is based on the above: private comparison 4 - the execution program conforms to the _ malicious behavior specification, and according to the comparison = update the hash list 5; finally, the processing single W3 It is also possible to judge the number of malicious acts that have been compared according to the value in the Threshold Database 4: Number of Thresholds field, in the style of Spear King. In the above manner, the malicious program of the present invention detects the device. Can be - by comparison - the program in the program, and determine whether the program is - Xinsi Qin ε. ^External 2 can be learned from the threshold database 4 of Figure 4, the malicious behavior contains the timbre, the intention is set to be the specifications 2, 3, 4 and 5, and the processing unit 13 compares the five types of hits. One of them will update the malicious behavior 2 in the hash list: However, the program may repeat the same procedure twice, for example: a program executed two malicious behaviors A] ! However, in the case of the month, the malicious number is "the cumulative number can only increase the illusion, (4) will cause the comparison == In order to avoid such a situation, the processing unit 13 must further confirm whether the comparison is repeated. , processing unit] 3 from the malicious behavior database (four) to take a first - edited 3 Haidi - code temporarily stored in the -string list, the string list can be used to repeat whether the nuclear unit "when the processing unit" After the malicious behavior database 3 帛-encoding, the processing unit 13 first compares the second encoding with the string of money; if so, the dainuary _ (four) intentional behavior specification processing the military unit 13 does not update the hash list if no , representing the comparison to different malicious 201224836 behavioral specifications, at this time processing single open ^ q β Λ , -Qa δ ^ 13 θ update hash list 5. In this way, the present hair = malicious reading detection device 1 can be expected Misjudgment caused by repeated comparison. \ : 1 method 'processing unit 13 is based on the - program - processing program ' and compared to the behavior specification (four) - malicious behavior specification, vertical = 匕 _ way for comparison The behavioral specification of the behavioral specification, the execution of the action, and the key 4 Library 3 towels depend for the malicious material specification. However section plus "towel material processing resources (iv) (iv) ⑽ junction of programs intended to be random variations'. The $$ established by the money model may not be able to match the malicious behavior thief 3 to the fully compliant thief, creating a loophole. Accordingly, in order to overcome this-disadvantage, the malicious program device of the present invention! In addition, the link information in the malware processing program is divided into three categories, which are fixed link information, random link information and random money continuation link information, which will be detailed below for each of the three materials. The comparison of the news. Material, #- handler is classified as solid link information, the link information representing the handler is fixed', that is, the handler will generate the same link information processing every time it is executed. The behavioral specification generated by the unit 13 according to the processing program is the same every time, so the processing unit 13 can directly compare the execution action of the execution target of the processing program and the binding information with the malicious behavior (4) library 3, that is, belong to " The alignment of the behavioral norms of the link information is to compare the execution of the target, the execution of the action, and the link information. Secondly, when a handler is classified as random link information, the link information representing the private order of the process is randomly changed, that is, the text in the link information content is randomly generated and appears only once. For example, the link information content contains a file name named exe file, and the file name of the .exe file 15 201224836 is randomly generated, so the name of the file is different every time. In other words, the process of processing the parent-child execution will generate different link information, and the behaviors generated by the process of processing the single magic process are different each time, so the processing of the single magic 3 is 虞 = the county material, only the food The execution of the standard (4) and the execution of the action and the evil of the (four) library 3 for comparison 'that is, the comparison of the behavioral norms belonging to the random link information is only compared to the execution of the target and the execution of the action. Finally 'when - the handler is classified For random and continuous keying information, the link information representing the program is randomly changed and will continue to be _, that is, the text in the valley of the link information is randomly generated, but will be reused. For example, a evil The program-first handler of the emperor program is "create a html slot with a random name", and its chain ^ ^ contains the job name as a randomly named offset file, assuming abe.htm, and the evil f program - second The processing program is "the htm file of the random name of the person to write", and the chain 贝 π will also contain abchtm, so the abchtm is randomly named but will appear in the different handlers of the county program. According to this, when a first processing program of the program is classified into random and continuous link information, the processing unit 13 temporarily stores the link information of the fourth processing program in the temporary storage hash list. When the processing unit 13 of the _program - the second processing program, the processing unit 13 will have the same link information as the temporary hash table towel, if any, the representative of the Order conformance - malicious behavioral norms. According to the above comparison method, the 4^-type detecting device 1 can effectively detect the various programs of various shelling variants. When the field type is compared to conform to a malicious program, the processing unit 13 is further configured to transmit the image to the output unit 15, and the output unit 15 is further configured to generate an image or a sound 16 201224836 = notification - user A malware is detected, and the output unit 15 can be a display, a speaker, or other device that can be used to determine the result of (4) measurement, and is not limited thereto. A second embodiment of the present invention, as shown in Fig. 6, is a malicious program detecting method for the malicious program_device according to the first embodiment. The malicious program detecting device is configured to execute a program, and includes a storage unit and a processing unit to store a malicious behavior database, the malicious behavior database records a malicious behavior specification, and the processing unit and the processing unit The storage unit is electrically connected, and the program executes a first processing procedure. The malware side method described in the implementation of the Lang can be executed by a computer program product. When the malware detection device loads the computer program product through a computer and executes a plurality of program instructions included in the computer program product, The malware detection method described in the first embodiment can be completed. The aforementioned computer program product can be stored in a computer readable recording medium, such as read only memory (_nlymemory; dirty), flash memory, floppy disk, hard disk, optical disk, flash drive, tape, and network access The database is either familiar to any other storage medium known to those skilled in the art and having the same function. Figure 6 is a flow chart depicting the method of the malicious program of the second embodiment. First, the program description method performs step 6〇1, so that the processing unit establishes a first behavior specification according to the first processing private order. Next, step 6〇2 is executed to make the processing unit compare the behavior specification with the malicious behavior and generate a comparison result. The storage unit of the county's intended detection device further stores a door-stock library, which records the malicious program's behavioral city threshold and root value, the behavior record table record-behavior specification number and a behavior The number, the malicious j 17 201224836 ., ^ test then proceeds to step 6G3, so that the summary unit updates the number according to the comparison result. And the 'execution step outline, when the code specification number reaches the behavior 6 rule value', causes the processing unit to update the number of behaviors. Finally, the step + A W仃 is executed as (4)_behavior number (10), and the domain unit determines that the program is the malicious program. In addition, the aforementioned malicious program #H is a malicious act, and the malicious behavior is executed & county order' this malware detection method is in step _ before step 606 (not shown in Fig. 6), Establish this malicious code of conduct. "Lesson_third processing procedure in step 602, is the current behavior of the specification, and produces a "comparison"; 7^ the + first behavioral specification and the malicious inclusion of the first-processing program A first hold =,, and Tian. 'e Xuan 1st is the specification package, a first-execution action and - the first, the second = evil = the specification contains the second process - the second execution method in the step _ system: the second bond Information, the malicious program detecting party, the second-guarantee, the 'handling a single city over the first-performing target and the comparison order: the first-executing action and the second performing action, and the system With the second ride f (four) Zhao Hang on the result. In addition to the steps in Figure 6, the malware detection method is more executable - step 607 (the simple addition to the first - behavior specification spear king type identification to determine the first - behavior specification pair:: 辨识 type identification information display) , see the corresponding to the 5 hai program 'and a step _ (the 6th figure is not 7 Μ 疋 疋 疋 疋 疋 疋 疋 疋 疋 疋 疋 疋 疋 疋 疋 疋 疋 疋 疋 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 2012 The operations and functions described in the first embodiment can also be performed. Those skilled in the art can directly understand how the second embodiment performs the operations and functions based on the above-described first embodiment, and therefore will not be described. / Above, the present invention is established in advance - a malicious behavior data phase and a rights database, the malicious behavior database record - malware - malicious behavior specification, » Haimen槛 database records the malicious program - behavioral norms The threshold value and the number of behaviors = the value of the threshold. When the program is executed by the malware detection device of the present invention, the "malware program" is established according to the processing program - the behavior specification, The code of conduct and the malicious behavior, and Zhao - comparison results; then, according to the comparison results updated - (four) number of posts, when the material rules _ _ behavior norm of the number of roots when the 'update - the number of behavior, When the number of behaviors is depreciated, the program is judged to be the malicious program. Therefore, the present invention is a disadvantage that the update speed of the anti-virus software cannot keep up with the increase speed of the malicious variant. At the same time, it has the advantages of speeding up the comparison of the efficiency of the malicious behavior and improving the detection rate of the virus program. The above embodiments are only used to exemplify the present invention, and explain the technical features of the present invention, and are not used. To limit the scope of the present invention, any arrangement that can be easily changed or equalized by those skilled in the art is within the scope of the invention. The scope of protection of the present invention shall be subject to the scope of the patent application. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a schematic view of a first embodiment of the present invention; FIG. 2 is a schematic diagram of a code of conduct of the present invention; 19 201224836 FIG. 3 is a database of malicious acts of the present invention. 4 is a schematic diagram of a threshold database of the present invention; FIG. 5 is a schematic diagram of a behavior record table of the present invention; and FIG. 6 is a flowchart of a second embodiment of the present invention. 1 : Malware detection device 11 : storage unit 13 : processing unit 15 : output unit
2 :行為規範 3 :惡意行為資料庫 4 :門檻資料庫 5 :雜湊列表2: Code of Conduct 3: Malicious Behavior Database 4: Threshold Database 5: Hash List
2020